doorkeeper-openid_connect 1.6.2 → 1.7.3

Files changed (54) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +59 -1
  3. data/README.md +11 -0
  4. data/app/controllers/doorkeeper/authorizations_controller.rb +17 -0
  5. data/app/controllers/doorkeeper/openid_connect/discovery_controller.rb +25 -19
  6. data/app/controllers/doorkeeper/openid_connect/userinfo_controller.rb +5 -1
  7. data/config/locales/en.yml +1 -0
  8. data/lib/doorkeeper/oauth/id_token_request.rb +8 -12
  9. data/lib/doorkeeper/oauth/id_token_response.rb +2 -0
  10. data/lib/doorkeeper/oauth/id_token_token_request.rb +2 -0
  11. data/lib/doorkeeper/oauth/id_token_token_response.rb +2 -0
  12. data/lib/doorkeeper/openid_connect.rb +26 -1
  13. data/lib/doorkeeper/openid_connect/claims/aggregated_claim.rb +2 -0
  14. data/lib/doorkeeper/openid_connect/claims/claim.rb +6 -4
  15. data/lib/doorkeeper/openid_connect/claims/distributed_claim.rb +2 -0
  16. data/lib/doorkeeper/openid_connect/claims/normal_claim.rb +2 -0
  17. data/lib/doorkeeper/openid_connect/claims_builder.rb +3 -1
  18. data/lib/doorkeeper/openid_connect/config.rb +20 -10
  19. data/lib/doorkeeper/openid_connect/engine.rb +2 -0
  20. data/lib/doorkeeper/openid_connect/errors.rb +4 -3
  21. data/lib/doorkeeper/openid_connect/helpers/controller.rb +60 -28
  22. data/lib/doorkeeper/openid_connect/id_token.rb +4 -2
  23. data/lib/doorkeeper/openid_connect/id_token_token.rb +2 -0
  24. data/lib/doorkeeper/openid_connect/oauth/authorization/code.rb +25 -8
  25. data/lib/doorkeeper/openid_connect/oauth/authorization_code_request.rb +4 -2
  26. data/lib/doorkeeper/openid_connect/oauth/password_access_token_request.rb +3 -1
  27. data/lib/doorkeeper/openid_connect/oauth/pre_authorization.rb +24 -3
  28. data/lib/doorkeeper/openid_connect/oauth/token_response.rb +3 -1
  29. data/lib/doorkeeper/openid_connect/orm/active_record.rb +2 -0
  30. data/lib/doorkeeper/openid_connect/orm/active_record/access_grant.rb +3 -1
  31. data/lib/doorkeeper/openid_connect/orm/active_record/request.rb +5 -3
  32. data/lib/doorkeeper/openid_connect/rails/routes.rb +3 -1
  33. data/lib/doorkeeper/openid_connect/rails/routes/mapper.rb +2 -0
  34. data/lib/doorkeeper/openid_connect/rails/routes/mapping.rb +2 -0
  35. data/lib/doorkeeper/openid_connect/response_mode.rb +30 -0
  36. data/lib/doorkeeper/openid_connect/response_types_config.rb +2 -2
  37. data/lib/doorkeeper/openid_connect/user_info.rb +2 -0
  38. data/lib/doorkeeper/openid_connect/version.rb +3 -1
  39. data/lib/doorkeeper/request/id_token.rb +2 -0
  40. data/lib/doorkeeper/request/id_token_token.rb +2 -0
  41. data/lib/generators/doorkeeper/openid_connect/install_generator.rb +4 -2
  42. data/lib/generators/doorkeeper/openid_connect/migration_generator.rb +3 -1
  43. data/lib/generators/doorkeeper/openid_connect/templates/initializer.rb +19 -5
  44. data/lib/generators/doorkeeper/openid_connect/templates/migration.rb.erb +3 -2
  45. metadata +33 -34
  46. data/.gitignore +0 -8
  47. data/.ruby-version +0 -1
  48. data/.travis.yml +0 -34
  49. data/CONTRIBUTING.md +0 -45
  50. data/Gemfile +0 -11
  51. data/Rakefile +0 -24
  52. data/bin/console +0 -9
  53. data/bin/setup +0 -8
  54. data/doorkeeper-openid_connect.gemspec +0 -30
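--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: ad886e65fd13b81ceb33165b6108992890073e9069524d383ee45948f64a2b17
- data.tar.gz: c1aaff72cbf9031e456c8f022845ce680799a1eadf6ec6ef171357bd1064f1fd
+ metadata.gz: ab0de01b3be4241280fd4846f9c38b4c915685918a6401e464dce609fb588ace
+ data.tar.gz: 999e38663483020d9c84b525f38842e0d9a5811c72ddfd04bdb7c86e1e018b2a
  SHA512:
- metadata.gz: '08aa15acd68b90ebb2dadab4f50a3718a71a13a9fe7a6b6c3f628dfee1ffe85e8c10ac98217ff1b8c33e8afaacbf4ec392043c5ac6b3d27e5516ed5070bf5956'
- data.tar.gz: 1ed88f7c7b84daa5bd95c71ebba114a1bda3e0a1985e4187854113db3f3c2454ac62451e7d581ccfd41de4419eadf64008a920cc540963e6c5a73561351f238f
+ metadata.gz: '09f0860be72310e44989febad8997e4fce1a82bf8d2986cfa3dfe56a0c9e55414d74f19a6dae35636aa5871c5778baad7b8776627835a30bd356bbb251fc4e32'
+ data.tar.gz: d6d42d010bd3e216dd1f1c84d60f86b4944f43a64d48db2cd613fddb189c7ac6ef079b713a86dd0b95a3551756b15a4868287c1af836fc0ada87efc6e1efc630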
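--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,6 +1,64 @@
  ## Unreleased
 
- No changes yet.
+ ## v1.7.3 (2020-07-06)
+
+ - [#111] Add configuration callback `select_account_for_resource_owner` to support the `prompt=select_account` param
+ - [#112] Add grant_types_supported to discovery response
+ - [#114] Fix user_info endpoint when used in api mode
+ - [#116] Support Doorkeeper API (> 5.4) for registering custom grant flows.
+ - [#117] Fix migration template to use Rails migrations DSL for association.
+ - [#118] Use fragment urls for implicit flow error redirects (thanks to @joeljunstrom)
+ - [#119] Execute end_session_endpoint in the controllers context (thanks to @joeljunstrom)
+
+ ## v1.7.2 (2020-05-20)
+
+ ### Changes
+
+ - [#108] Add support for Doorkeeper 5.4
+ - [#103] Add support for end_session_endpoint
+ - [#109] Test against Ruby 2.7 & Rails 6.x
+
+ ## v1.7.1 (2020-02-07)
+
+ ### Upgrading
+
+ This version adds `on_delete: :cascade` to the migration template for the `oauth_openid_requests` table, in order to fix #82.
+
+ For existing installations, you should add a new migration in your application to drop the existing foreign key and replace it with a new one with `on_delete: :cascade` included. Depending on the database you're using and the size of your application this might bring up some concerns, but in most cases the following should be sufficient:
+
+ ```ruby
+ class UpdateOauthOpenIdRequestsForeignKeys < ActiveRecord::Migration[5.2]
+ def up
+ remove_foreign_key(:oauth_openid_requests, column: :access_grant_id)
+ add_foreign_key(:oauth_openid_requests, :oauth_access_grants, column: :access_grant_id, on_delete: :cascade)
+ end
+
+ def down
+ remove_foreign_key(:oauth_openid_requests, column: :access_grant_id)
+ add_foreign_key(:oauth_openid_requests, :oauth_access_grants, column: :access_grant_id)
+ end
+ end
+ ```
+
+ ### Bugfixes
+
+ - [#96] Bump `json-jwt` because of CVE-2019-18848 (thanks to @leleabhinav)
+ - [#97] Fixes for compatibility with Doorkeeper 5.2 (thanks to @linhdangduy)
+ - [#98] Cascade deletes from `oauth_openid_requests` to `oauth_access_grants` (thanks to @manojmj92)
+ - [#99] Fix `audience` claim when application is not set on access token (thanks to @ionut998)
+
+ ## v1.7.0 (2019-11-04)
+
+ ### Changes
+
+ - [#85] This gem now requires Doorkeeper 5.2, Rails 5, and Ruby 2.4
+
+ ## v1.6.3 (2019-09-24)
+
+ ### Changes
+
+ - [#81] Allow silent authentication without user consent (thanks to @jarosan)
+ - Don't support Doorkeeper >= 5.2 due to breaking changes
 
  ## v1.6.2 (2019-08-09)
 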
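--- a/data/README.md
+++ b/data/README.md
@@ -4,6 +4,8 @@
  [![Code Climate](https://codeclimate.com/github/doorkeeper-gem/doorkeeper-openid_connect.svg)](https://codeclimate.com/github/doorkeeper-gem/doorkeeper-openid_connect)
  [![Gem Version](https://badge.fury.io/rb/doorkeeper-openid_connect.svg)](https://rubygems.org/gems/doorkeeper-openid_connect)
 
+ #### :warning: **This project is looking for maintainers, see [this issue](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/89).**
+
  This library implements an [OpenID Connect](http://openid.net/connect/) authentication provider for Rails applications on top of the [Doorkeeper](https://github.com/doorkeeper-gem/doorkeeper) OAuth 2.0 framework.
 
  OpenID Connect is a single-sign-on and identity layer with a [growing list of server and client implementations](http://openid.net/developers/libraries/). If you're looking for a client in Ruby check out [omniauth_openid_connect](https://github.com/m0n9oose/omniauth_openid_connect/).
@@ -137,6 +139,10 @@ The following settings are optional, but recommended for better client compatibi
  - Defines how to trigger reauthentication for the current user (e.g. display a password prompt, or sign-out the user and redirect to the login form).
  - Required to support the `max_age` and `prompt=login` parameters.
  - The block is executed in the controller's scope, so you have access to methods like `params`, `redirect_to` etc.
+ - `select_account_for_resource_owner`
+ - Defines how to trigger account selection to choose the current login user.
+ - Required to support the `prompt=select_account` parameter.
+ - The block is executed in the controller's scope, so you have access to methods like `params`, `redirect_to` etc.
 
  The following settings are optional:
 
@@ -150,6 +156,11 @@ The following settings are optional:
  - Note that the OIDC specification mandates HTTPS, so you shouldn't change this
  for production environments unless you have a really good reason!
 
+ - `end_session_endpoint`
+ - The URL that the user is redirected to after ending the session on the client.
+ - Used by implementations like https://github.com/IdentityModel/oidc-client-js.
+ - The block is executed in the controller's scope, so you have access to your route helpers.
+
  ### Scopes
 
  To perform authentication over OpenID Connect, an OAuth client needs to request the `openid` scope. This scope needs to be enabled using either `optional_scopes` in the global Doorkeeper configuration in `config/initializers/doorkeeper.rb`, or by adding it to any OAuth application's `scope` attribute.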
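--- /dev/null
+++ b/data/app/controllers/doorkeeper/authorizations_controller.rb
@@ -0,0 +1,17 @@
+ # frozen_string_literal: true
+
+ require_dependency "#{Doorkeeper::Engine.root}/app/controllers/doorkeeper/authorizations_controller.rb"
+
+ module Doorkeeper
+ class AuthorizationsController
+ module AuthorizationsExtension
+ private
+
+ def pre_auth_param_fields
+ super.append(:nonce)
+ end
+ end
+
+ Doorkeeper::AuthorizationsController.prepend AuthorizationsExtension
+ end
+ end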
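Review bot: `super.append(:nonce)` in `pre_auth_param_fields` mutates whatever array the parent method returns instead of building a new one. That is only safe if Doorkeeper returns a fresh array on every call, which this diff does not show; if the parent ever hands back a shared or frozen list, `:nonce` would pile up across requests or the call would raise. `super + [:nonce]` gives the same result without touching the parent's object. Because `nonce` is what lets a client tie an ID token to its own authorization request, a one-line comment above the method saying why the field is added here would also help.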
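--- a/data/app/controllers/doorkeeper/openid_connect/discovery_controller.rb
+++ b/data/app/controllers/doorkeeper/openid_connect/discovery_controller.rb
@@ -1,9 +1,11 @@
+ # frozen_string_literal: true
+
  module Doorkeeper
  module OpenidConnect
  class DiscoveryController < ::Doorkeeper::ApplicationController
  include Doorkeeper::Helpers::Controller
 
- WEBFINGER_RELATION = 'http://openid.net/specs/connect/1.0/issuer'.freeze
+ WEBFINGER_RELATION = 'http://openid.net/specs/connect/1.0/issuer'
 
  def provider
  render json: provider_response
@@ -30,21 +32,19 @@ module Doorkeeper
  introspection_endpoint: oauth_introspect_url(protocol: protocol),
  userinfo_endpoint: oauth_userinfo_url(protocol: protocol),
  jwks_uri: oauth_discovery_keys_url(protocol: protocol),
+ end_session_endpoint: openid_connect.end_session_endpoint.call,
 
  scopes_supported: doorkeeper.scopes,
 
  # TODO: support id_token response type
  response_types_supported: doorkeeper.authorization_response_types,
- response_modes_supported: [ 'query', 'fragment' ],
-
- token_endpoint_auth_methods_supported: [
- 'client_secret_basic',
- 'client_secret_post',
+ response_modes_supported: %w[query fragment],
+ grant_types_supported: grant_types_supported(doorkeeper),
 
- # TODO: look into doorkeeper-jwt_assertion for these
- #'client_secret_jwt',
- #'private_key_jwt'
- ],
+ # TODO: look into doorkeeper-jwt_assertion for these
+ # 'client_secret_jwt',
+ # 'private_key_jwt'
+ token_endpoint_auth_methods_supported: %w[client_secret_basic client_secret_post],
 
  subject_types_supported: openid_connect.subject_types_supported,
 
@@ -56,18 +56,24 @@ module Doorkeeper
  'normal',
 
  # TODO: support these
- #'aggregated',
- #'distributed',
+ # 'aggregated',
+ # 'distributed',
  ],
 
- claims_supported: [
- 'iss',
- 'sub',
- 'aud',
- 'exp',
- 'iat',
+ claims_supported: %w[
+ iss
+ sub
+ aud
+ exp
+ iat
  ] | openid_connect.claims.to_h.keys,
- }
+ }.compact
+ end
+
+ def grant_types_supported(doorkeeper)
+ grant_types_supported = doorkeeper.grant_flows
+ grant_types_supported << 'refresh_token' if doorkeeper.refresh_token_enabled?
+ grant_types_supported
  end
 
  def webfinger_response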
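Review bot: The new `grant_types_supported` helper appends to the object returned by `doorkeeper.grant_flows` with `<<`, so if that accessor returns the configured array itself (not visible in this diff), every discovery request with refresh tokens enabled adds another `'refresh_token'` entry to Doorkeeper's live grant-flow configuration. Besides the duplicated, growing discovery output, that alters a list other code may consult when deciding which grants are allowed. Work on a copy instead: `flows = doorkeeper.grant_flows.dup` followed by `flows << 'refresh_token' if doorkeeper.refresh_token_enabled?`. Separately, `end_session_endpoint` is invoked with `.call`, while the README text in this release says the block runs in the controller's scope; `instance_exec(&openid_connect.end_session_endpoint)` would match that description.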
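--- a/data/app/controllers/doorkeeper/openid_connect/userinfo_controller.rb
+++ b/data/app/controllers/doorkeeper/openid_connect/userinfo_controller.rb
@@ -1,7 +1,11 @@
+ # frozen_string_literal: true
+
  module Doorkeeper
  module OpenidConnect
  class UserinfoController < ::Doorkeeper::ApplicationController
- skip_before_action :verify_authenticity_token
+ unless Doorkeeper.config.api_only
+ skip_before_action :verify_authenticity_token
+ end
  before_action -> { doorkeeper_authorize! :openid }
 
  def show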
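Review bot: The CSRF skip in `UserinfoController` is now conditional but still carries no explanation; a comment above it such as `# Requests are authorized by access token (see doorkeeper_authorize! below), so the CSRF token check is skipped` would record why disabling the check is acceptable here. The `unless Doorkeeper.config.api_only` guard is evaluated once, when the class body is loaded, so it depends on Doorkeeper being configured before this controller is loaded, which the same comment should state. The guard also reads `Doorkeeper.config`, whereas `config.rb` in this release uses `Doorkeeper.configuration`; since the changelog allows Doorkeeper 5.2, please confirm the shorter accessor exists on every supported version or use the longer one.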
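--- a/data/config/locales/en.yml
+++ b/data/config/locales/en.yml
@@ -19,4 +19,5 @@ en:
  resource_owner_from_access_token_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.resource_owner_from_access_token missing configuration.'
  auth_time_from_resource_owner_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.auth_time_from_resource_owner missing configuration.'
  reauthenticate_resource_owner_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.reauthenticate_resource_owner missing configuration.'
+ select_account_for_resource_owner_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.select_account_for_resource_owner missing configuration.'
  subject_not_configured: 'ID Token generation failed due to Doorkeeper::OpenidConnect.configure.subject missing configuration.'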
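--- a/data/lib/doorkeeper/oauth/id_token_request.rb
+++ b/data/lib/doorkeeper/oauth/id_token_request.rb
@@ -1,3 +1,5 @@
+ # frozen_string_literal: true
+
  module Doorkeeper
  module OAuth
  class IdTokenRequest
@@ -9,18 +11,18 @@ module Doorkeeper
  end
 
  def authorize
- if pre_auth.authorizable?
- @auth = Authorization::Token.new(pre_auth, resource_owner)
- @auth.issue_token
- @response = response
+ @auth = Authorization::Token.new(pre_auth, resource_owner)
+ if @auth.respond_to?(:issue_token!)
+ @auth.issue_token!
  else
- @response = error_response
+ @auth.issue_token
  end
+ response
  end
 
  def deny
  pre_auth.error = :access_denied
- error_response
+ pre_auth.error_response
  end
 
  private
@@ -30,12 +32,6 @@ module Doorkeeper
 
  IdTokenResponse.new(pre_auth, auth, id_token)
  end
-
- def error_response
- ErrorResponse.from_request pre_auth,
- redirect_uri: pre_auth.redirect_uri,
- response_on_fragment: true
- end
  end
  end
  end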
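Review bot: `authorize` no longer checks `pre_auth.authorizable?` before it builds `Authorization::Token` and issues the token, so all validation of the authorization request now has to happen in the caller. That caller is not part of this diff; if any path can reach `authorize` with a pre-authorization that was never validated, an ID token is issued for a request that should have been rejected. Please document the precondition on the method, e.g. `# Callers must have checked pre_auth.authorizable? before calling this`, or confirm that the Doorkeeper controller always validates first. The `respond_to?(:issue_token!)` branch would also benefit from a comment naming the Doorkeeper versions it bridges.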
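--- a/data/lib/doorkeeper/oauth/id_token_response.rb
+++ b/data/lib/doorkeeper/oauth/id_token_response.rb
@@ -1,3 +1,5 @@
+ # frozen_string_literal: true
+
  module Doorkeeper
  module OAuth
  class IdTokenResponse < BaseResponse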
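--- a/data/lib/doorkeeper/oauth/id_token_token_request.rb
+++ b/data/lib/doorkeeper/oauth/id_token_token_request.rb
@@ -1,3 +1,5 @@
+ # frozen_string_literal: true
+
  module Doorkeeper
  module OAuth
  class IdTokenTokenRequest < IdTokenRequest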
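--- a/data/lib/doorkeeper/oauth/id_token_token_response.rb
+++ b/data/lib/doorkeeper/oauth/id_token_token_response.rb
@@ -1,3 +1,5 @@
+ # frozen_string_literal: true
+
  module Doorkeeper
  module OAuth
  class IdTokenTokenResponse < IdTokenResponse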
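--- a/data/lib/doorkeeper/openid_connect.rb
+++ b/data/lib/doorkeeper/openid_connect.rb
@@ -1,3 +1,5 @@
+ # frozen_string_literal: true
+
  require 'doorkeeper'
  require 'active_model'
  require 'json/jwt'
@@ -20,6 +22,7 @@ require 'doorkeeper/openid_connect/errors'
  require 'doorkeeper/openid_connect/id_token'
  require 'doorkeeper/openid_connect/id_token_token'
  require 'doorkeeper/openid_connect/user_info'
+ require 'doorkeeper/openid_connect/response_mode'
  require 'doorkeeper/openid_connect/version'
 
  require 'doorkeeper/openid_connect/helpers/controller'
@@ -42,7 +45,7 @@ module Doorkeeper
 
  def self.signing_key
  key =
- if [:HS256, :HS384, :HS512].include?(signing_algorithm)
+ if %i[HS256 HS384 HS512].include?(signing_algorithm)
  configuration.signing_key
  else
  OpenSSL::PKey.read(configuration.signing_key)
@@ -61,5 +64,27 @@ module Doorkeeper
  key.slice(:kty, :kid)
  end
  end
+
+ if defined?(::Doorkeeper::GrantFlow)
+ Doorkeeper::GrantFlow.register(
+ :id_token,
+ response_type_matches: 'id_token',
+ response_type_strategy: Doorkeeper::OpenidConnect::IdToken,
+ )
+
+ Doorkeeper::GrantFlow.register(
+ 'id_token token',
+ response_type_matches: 'id_token token',
+ response_type_strategy: Doorkeeper::OpenidConnect::IdTokenToken,
+ )
+
+ Doorkeeper::GrantFlow.register_alias(
+ 'implicit_oidc', as: ['implicit', 'id_token', 'id_token token']
+ )
+ else
+ # TODO: drop this and corresponding file when we will set minimal
+ # required Doorkeeper version to 5.5.
+ Doorkeeper::Config.prepend OpenidConnect::ResponseTypeConfig
+ end
  end
  end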
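Review bot: The two `Doorkeeper::GrantFlow.register` calls in the last hunk name their flows with different types, `:id_token` (Symbol) and `'id_token token'` (String), and `register_alias` then refers to both as strings. Whether Doorkeeper normalises flow names is not visible here; if it does not, the alias entry `'id_token'` would not match the flow registered under the symbol. Using one type throughout, for example `'id_token'` in the first registration, removes the doubt. A short comment above `if defined?(::Doorkeeper::GrantFlow)` stating which Doorkeeper versions take which branch would also help, since the existing TODO only explains the fallback.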
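--- a/data/lib/doorkeeper/openid_connect/claims/aggregated_claim.rb
+++ b/data/lib/doorkeeper/openid_connect/claims/aggregated_claim.rb
@@ -1,3 +1,5 @@
+ # frozen_string_literal: true
+
  module Doorkeeper
  module OpenidConnect
  module Claims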
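--- a/data/lib/doorkeeper/openid_connect/claims/claim.rb
+++ b/data/lib/doorkeeper/openid_connect/claims/claim.rb
@@ -1,3 +1,5 @@
+ # frozen_string_literal: true
+
  module Doorkeeper
  module OpenidConnect
  module Claims
@@ -11,10 +13,10 @@ module Doorkeeper
  name family_name given_name middle_name nickname preferred_username
  profile picture website gender birthdate zoneinfo locale updated_at
  ],
- email: %i[ email email_verified ],
- address: %i[ address ],
- phone: %i[ phone_number phone_number_verified ],
- }
+ email: %i[email email_verified],
+ address: %i[address],
+ phone: %i[phone_number phone_number_verified],
+ }.freeze
 
  def initialize(options = {})
  @name = options[:name].to_sym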
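Review bot: The `.freeze` added to the scope-to-claims hash in the second hunk is shallow: the `%i[...]` arrays stored as its values stay mutable, so code holding a reference can still add a claim name to a scope. Since this table appears to decide which claims belong to which scope, freezing the values too, e.g. `email: %i[email email_verified].freeze`, would make the constant immutable in full. The constant's assignment line and its first entry are above the hunk, so the same applies to whatever array opens there.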
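--- a/data/lib/doorkeeper/openid_connect/claims/distributed_claim.rb
+++ b/data/lib/doorkeeper/openid_connect/claims/distributed_claim.rb
@@ -1,3 +1,5 @@
+ # frozen_string_literal: true
+
  module Doorkeeper
  module OpenidConnect
  module Claims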
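--- a/data/lib/doorkeeper/openid_connect/claims/normal_claim.rb
+++ b/data/lib/doorkeeper/openid_connect/claims/normal_claim.rb
@@ -1,3 +1,5 @@
+ # frozen_string_literal: true
+
  module Doorkeeper
  module OpenidConnect
  module Claims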
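--- a/data/lib/doorkeeper/openid_connect/claims_builder.rb
+++ b/data/lib/doorkeeper/openid_connect/claims_builder.rb
@@ -1,3 +1,5 @@
+ # frozen_string_literal: true
+
  require 'ostruct'
 
  module Doorkeeper
@@ -31,7 +33,7 @@ module Doorkeeper
  generator: block
  )
  end
- alias_method :claim, :normal_claim
+ alias claim normal_claim
  end
  end
  end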
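--- a/data/lib/doorkeeper/openid_connect/config.rb
+++ b/data/lib/doorkeeper/openid_connect/config.rb
@@ -1,15 +1,17 @@
+ # frozen_string_literal: true
+
  module Doorkeeper
  module OpenidConnect
  def self.configure(&block)
  if Doorkeeper.configuration.orm != :active_record
- fail Errors::InvalidConfiguration, 'Doorkeeper OpenID Connect currently only supports the ActiveRecord ORM adapter'
+ raise Errors::InvalidConfiguration, 'Doorkeeper OpenID Connect currently only supports the ActiveRecord ORM adapter'
  end
 
  @config = Config::Builder.new(&block).build
  end
 
  def self.configuration
- @config || (fail Errors::MissingConfiguration)
+ @config || (raise Errors::MissingConfiguration)
  end
 
  class Config
@@ -23,12 +25,12 @@ module Doorkeeper
  @config
  end
 
- def jws_public_key(*args)
- puts "DEPRECATION WARNING: `jws_public_key` is not needed anymore and will be removed in a future version, please remove it from config/initializers/doorkeeper_openid_connect.rb"
+ def jws_public_key(*_args)
+ puts 'DEPRECATION WARNING: `jws_public_key` is not needed anymore and will be removed in a future version, please remove it from config/initializers/doorkeeper_openid_connect.rb'
  end
 
  def jws_private_key(*args)
- puts "DEPRECATION WARNING: `jws_private_key` has been replaced by `signing_key` and will be removed in a future version, please remove it from config/initializers/doorkeeper_openid_connect.rb"
+ puts 'DEPRECATION WARNING: `jws_private_key` has been replaced by `signing_key` and will be removed in a future version, please remove it from config/initializers/doorkeeper_openid_connect.rb'
  signing_key(*args)
  end
  end
@@ -71,7 +73,7 @@ module Doorkeeper
  value = if attribute_builder
  attribute_builder.new(&block).build
  else
- block ? block : args.first
+ block || args.first
  end
 
  @config.instance_variable_set(:"@#{attribute}", value)
@@ -102,19 +104,23 @@ module Doorkeeper
  option :subject_types_supported, default: [:public]
 
  option :resource_owner_from_access_token, default: lambda { |*_|
- fail Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.resource_owner_from_access_token_not_configured')
+ raise Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.resource_owner_from_access_token_not_configured')
  }
 
  option :auth_time_from_resource_owner, default: lambda { |*_|
- fail Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.auth_time_from_resource_owner_not_configured')
+ raise Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.auth_time_from_resource_owner_not_configured')
  }
 
  option :reauthenticate_resource_owner, default: lambda { |*_|
- fail Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.reauthenticate_resource_owner_not_configured')
+ raise Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.reauthenticate_resource_owner_not_configured')
+ }
+
+ option :select_account_for_resource_owner, default: lambda { |*_|
+ raise Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.select_account_for_resource_owner_not_configured')
  }
 
  option :subject, default: lambda { |*_|
- fail Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.subject_not_configured')
+ raise Errors::InvalidConfiguration, I18n.translate('doorkeeper.openid_connect.errors.messages.subject_not_configured')
  }
 
  option :expiration, default: 120
@@ -124,6 +130,10 @@ module Doorkeeper
  option :protocol, default: lambda { |*_|
  ::Rails.env.production? ? :https : :http
  }
+
+ option :end_session_endpoint, default: lambda { |*_|
+ nil
+ }
  end
  end
  end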
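Review bot: The default for the new `select_account_for_resource_owner` option raises `Errors::InvalidConfiguration` when it is called, so on a server that has not configured it the failure is triggered by a client sending `prompt=select_account`. How the controller helper handles that raise is outside this section; if it is not rescued there, a client-supplied request parameter produces a server error rather than an OIDC error response. At minimum, add a comment on the option stating that the default raises at request time and where the exception is handled. The two deprecation messages touched in the second hunk still go through `puts`; `warn` would send them to stderr instead of stdout.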